{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4455", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-19T20:23:52.037Z", "datePublished": "2026-03-20T01:34:53.624Z", "dateUpdated": "2026-03-20T14:42:46.323Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.153", "status": "affected", "lessThan": "146.0.7680.153", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-20T01:34:53.624Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/488585504"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:33:21.858143Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:46.323Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)"}], "id": "CVE-2026-4455", "lastModified": "2026-03-20T13:37:50.737", "metrics": {}, "published": "2026-03-20T02:16:38.637", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/488585504"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Heap buffer overflow in PDFium", "id": "2449392", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449392"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A heap buffer overflow flaw was found in the PDFium component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=488585504"], "name": "CVE-2026-4455", "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4455\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4455\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/488585504"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.153,146.0.7680.153)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-20T13:23:29.291757+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 146.0.7680.153 or later", "If an immediate update is not possible, disable automatic PDF rendering or block PDF files in the browser settings", "Monitor for and block suspicious PDF attachments or links until a patch is applied", "Check Google\u2019s release notes and security advisories for further guidance"], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Google Chrome versions earlier than 146.0.7680.153. Users running any earlier revision of Chrome on any operating system are potentially exposed if they open a malicious PDF document.", "description_and_impact": "A heap buffer overflow was discovered in PDFium used by Google Chrome, allowing a remote attacker to corrupt memory by creating a specially crafted PDF file. The flaw can potentially lead to arbitrary code execution or a crash of the browser. The vulnerability is categorized as high severity by Chromium\u2019s security team and corresponds to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-Bounds Write).", "risk_and_exploitability": "The CVSS score is 8.8, indicating a high risk to confidentiality, integrity, and availability. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote: an adversary can deliver a crafted PDF via email, a malicious website, or any channel that allows the victim to open the file. Since the bug requires only a crafted PDF to be processed, the likelihood of exploitation is significant for exposed users."}}}}, "created": "2026-03-20T08:53:22.249127+00:00", "updated": "2026-03-20T14:14:19.344600+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}